In July, we reported on the controversial move by the UK Government to pass the Data Retention and Investigatory Powers Act 2014 (‘DRIP Act’). This DRIP Act enabled telecommunications operators to understand what their retention obligations are, following the CJEU’s declaration back in April that Directive 2006/24/EC on the Retention of Data was invalid.
In response to the court’s decision, the Swiss Federal Council issued a statement that the ruling has no effect on Swiss laws. A legislative proposal to expand state powers on the law of telecommunications surveillance has already been approved by the Council of States. Currently, metadata must be stored for six months in Switzerland for possible law-enforcement purposes. The revisions would expand both the scope of the surveillance and the duration to 12 months. These proposals have resulted in furor among the Swiss, with hundreds of demonstrators protesting against data retention of communications metadata in May 2014.
The controversy is not confined to Switzerland, as the legality of the new UK DRIP Act is being challenged by a Member of Parliament who is seeking a judicial review about the whether the new legislation is compatible with Article 7 of the European Charter on Human Rights and Article 8 of the European Convention on Human Rights, each of which covers the right of respect for private and family life. In addition, the UK published draft Data Retention Regulations, setting out what information must be included in retention notices.
The debate over data and record retention or destruction remains a key and difficult issue for many companies, and the controversy about mandatory data retention periods remains in flux following the CJEU’s decision. It remains important for companies to stay abreast of legal developments on document and data retention, and ensure that they have an appropriate methodology for data deletion when such data is no longer useful or necessary to retain – a practice that can reduce businesses’ risk to legal exposure.